Employee-Owned Device Management an Art Unto Itself

Just like at a BYOB party, things can get a little out of control when employees bring their own devices onto the company network. The bring-your-own-device (BYOD) revolution can pose security issues and present headaches for IT departments, which are constantly fielding calls from frantic users who find that an application is no longer working on their laptop or that their new iPad can't access network files for a crucial presentation they are giving in just minutes.

"It is certainly a hot topic, and getting even more attention as companies add more software and applications," says Jim Tate, operations liaison director for PC Helps, a Bala Cynwyd, Pa.-based provider of on-demand support for software and mobile devices. "People find it inconvenient to carry two or three devices and they just want to use their own device for doing everything."

He says that BYOD is a business issue as well as an IT issue. "The IT department needs to get the business owners involved as they draft specific policies about use of personal devices. Depending on the types of business or department, they may want to open things up or limit access. It is a matter of maintaining a balance between the needs of the business and providing support."

Jonathan Gossels, CEO of SystemExperts, a Sudbury, Mass.-based security and compliance consultancy, says there are ways to protect sensitive company data while allowing employees to use their own devices.

"Historically, most organizations banned employee-owned devices from corporate networks," he said. "There were two primary reasons: they were a constant source of malware entering the corporate infrastructure and a source of data leakage. With the advent of smartphones, tablets and the like, the risks have only increased. Today, we are carrying around powerful computers in our pockets and they are highly vulnerable to loss and theft. Most are configured by default for ease of use, not security. In the past, organizations issued portable devices, configured them with necessary security software [such as anti-virus and encryption], and mandated appropriate use. That remains the best practice."

For organizations that are choosing to allow employee-owned devices, security awareness training is critical, he said. Employees need to understand the risks involved and practice safe Internet usage. "They need to understand that it is a bad practice to receive email containing confidential information on an unprotected smartphone," he said. "IT departments have a hard job even when they can control the physical environment; it becomes an impossible job when they can't."

Mobile application management

With regard to policies and processes, many companies are now using mobile application management (MAM) to remotely deploy, manage, update and wipe applications from employee devices over the air, said Ken Singer, CEO and co-founder of San Francisco-based AppCentral, a provider of mobile application management solutions for enterprises. "This is done instantly, and corporate apps with sensitive, proprietary information are removed from the device, eliminating panic within the company," he said.

This is helpful for security, but it is also critical for making sure everyone has the same application and versions/updates at all times, Singer said. "If a sales team needs access to a specific sales app, IT can leverage an MAM solution to ensure that each member has the same app and updates."

"It's important to give IT flexible options for handling end users so as not to be too draconian with your controls," says Paul Paget, CEO of Savant Protection, a security firm based in Hudson, N.H. A flexible application control and whitelisting product can be a helpful complement, he said.

"One option is to give end users permission to request a software download while another may be to install pre-approved apps, and yet another to totally prevent the installation of new applications altogether," he said. "In using app control or app whitelisting, IT can better monitor and control the end user environment so that applications that may conflict or cause problems with devices can be prevented from installing and breaking the device. It also helps to prevent unknown malware and the spread of anything malicious to other devices, stopping the proliferation of even more problems across a network of computers."

Personal and corporate data

There is a blending of personal and professional information on these devices, which can be a challenge for IT when data has to be removed, said David Meadows, managing director of the discovery consulting practice for Kroll Ontrack, a consulting firm. "You have a lot of compliance and liability issues that have to be addressed," he said. "This is especially important when data has to be collected for a legal issue or an investigation, as many people have co-mingled their corporate and personal worlds. There is corporate financial data mixed in with pictures of the kids."

He says that most smartphones have been standardized, making support easier, but laptops can provide more of a challenge. "Especially as there is a trend toward the Mac, and changes are more subtle when it comes to the operating system. I noticed the other day when I was trying to find a setting on the Mac and it had been moved."

Meadows said that outside devices should be limited to email access and that file-sharing and network access should only be done on corporate devices. He said that IT departments should be aware that employees could use Dropbox or other file-sharing services and spread their data around to additional devices via the syncing feature of that service, which could create legal and security issues. He also said that companies should mandate that all devices accessing corporate data have up-to-date anti-virus software.

With employees having their own devices that are faster and more sophisticated than company-provided hardware, he said that they have come to expect to be able to use their own devices. "It has almost become an employee retention issue," he said.